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WHAT IS CLAIMED IS: 

1 . A computer readable medium including instructions executable by 
a processor-based system, said computer readable medium comprising: 

code for replacing address information in a system call table with address 
information associated with a plurality of wrapper functions; and 

code for defining said plurality of wrapper functions, said plurality of 
wrappers functions transferring processing control to system call routines, said 
plurality of wrapper functions retrieving parameters associated with said system 
call routines, said plurality of wrapper functions utilizing said parameters to 
generate audit data, and said plurality of wrapper functions writing said audit data 
to a buffer. 

2. The computer readable medium of claim 1 further comprising: 
code for copying said system call table to a new memory location as an 

original system call table copy before replacing said system call table with 
address information associated with said plurality of wrapper functions. 

3. The computer readable medium of claim 2 wherein at least one of 
said plurality of wrapper functions is operable to examine memory information of 
said original system call table copy and is operable to transfer control to a system 
call routine associated with said memory information. 

4. The computer readable medium of claim 1 further comprising: 
code for examining an amount of audit data in said buffer; and 

code for writing said audit data to an audit file when the amount of audit 
data in said buffer exceeds a predetermined amount. 

5. The computer readable medium of claim 1 wherein at least one of 
said plurality of wrapper functions comprises code for performing a logical 
comparison of said parameters against predefined criteria to determine whether to 
write audit data to said buffer. 
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6. A method for generating audit data comprising the steps of: 
placing a wrapper function in memory; 

writing address information into an entry of a system call table, said 
address information being associated with said wrapper function; and 

transferring processing control to said wrapper function, said wrapper 
function transferring processing control to a system call routine, retrieving 
parameters associated with said system call routine, utilizing said parameters to 
generate audit data, and writing said audit data to a buffer. 

7. The method of claim 6 wherein said entry is associated with a 
vector, said method further comprising the step of: 

generating a system call utilizing said vector. 

8. The method of claim 6 further comprising the steps of: 
copying an original entry in said system call table associated with said 

vector to a new location. 

9. The method of claim 8 further comprising the steps of: 
accessing said copy of an original entry to obtain memory information 

related to said system call routine; and 

transferring processing control to said system call routine. 

10. The method of claim 6 wherein said step of transferring processing 
control includes generating a software interrupt. 

1 1 . The method of claim 6 further comprising the step of: 
disabling said wrapper function by restoring original address information 

to said entry of said system call table. 

12. The method of claim 6 wherein said wrapper function performs a 
logical comparison between said parameters and predefined criteria to determine 
whether to write audit data to said buffer. 
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13. The method of claim 6 further comprising the steps of: 
examining the amount of audit data in said buffer; and 
writing said audit data to an audit file, when said amount of audit data 
exceeds a predetermined amount. 
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14. A computer system for generating audit data associated with 
system calls, said computer system comprising: 

means for receiving processing control, said means for receiving being 
operable to transfer processing control to a system call routine and being operable 
to generate audit data associated with said system call routine; and 

means for transferring control to said means for receiving, wherein said 
means for transferring control includes a system call table with address 
information associated with said means for receiving processing control. 

15. The computer system of claim 1 4 further comprising: 

means for creating a copy of an original system call table, and wherein 
said means for receiving processing control is operable to determine the memory 
location of said kernel system call routine by accessing said copy of said original 
system call table. 

16. The computer system of claim 14 wherein said means for receiving 
processing control includes means for writing audit data to an audit buffer. 

17. The computer system of claim 16 further comprising: 
means for monitoring an amount of audit data in said audit buffer; and 
means for writing buffered audit data to an audit file when said amount of 

audit data exceeds a predetermined amount. 
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